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DETAILED ACTION 

This action is in response to the papers filed 7/09/2008 



Response to arguments 

Applicant's arguments have been fully considered but they are not persuasive. 
Kair teaches the vulnerability score is a product of a frequency score, a severity score, a 
criticality score and a trust score. Kair teaches F (the security vulnerability score) is 
computed by F = 100-V-E. Where V = min(70, (70V h H h + 42V m H m + 14V,H, ) / H n )) and E 
= min(30, £ from y=1 to H n {Ry + Wy + 30Ty}. In column 64 line 20-50 Kair teaches the 
frequency score is based on a percentage of host experiencing the detected security 
vulnerability in the system. This is calculated in the V part of the security vulnerability 
score where Hh Hm H/_ make up the number of host that have high, medium and low 
vulnerabilities on them. The severity score is also calculated in the V part of the security 
vulnerability score where high vulnerability are multiplied by 70 (root access) medium by 
42 and low by 14. In column 66 lines 4-19 Kair teaches the criticality score is based on 
whether at least one of confidential data and personal data in on the system is 
calculated in the E part of the security vulnerability score. Ty part is nodes with Trojan 
horse that can get access to usernames passwords resources and host data on a node. 
The trusted score is the nodes that don't have a high medium or low vulnerability of the 
total nodes on the network Hn. 
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Claim Rejections - 35 USC § 103 

The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

Claims 1,4-9, 12, 15-20 23, and 25 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Kair (US 7,243,148) in further view of Bellemore (5,944,825). 

With respect to claim 1 , 12, 23 and 25, Kair teaches the method for providing 
automated tracking of security vulnerabilities, comprising: using a computer device to 
perform a security vulnerability assessment on a system (see abstract); detecting the 
presence of a security vulnerability in the system; and responsive to detecting the 
presence of the security vulnerability (see column 13 lines 4-20); storing data obtained 
from the security vulnerability assessment in a security vulnerabilities database (see 
column 13 lines 4-20 and column 17 lines 27-38); determining using a computer 
program, a security vulnerability score, the security vulnerability score being a product 
of a frequency score, a severity score, a criticality score and a trust score (see figure 9- 
11,14 and column 62 line 3 - column 66 line 1 9), the frequency score based on a 
percentage of host experiencing the detected security vulnerability in the system (see 
column 64 line 20-50 i.e. H H H M H L ), the criticality score based on whether at least one 
of confidential data and personal data in on the system (see column 64 lines 51-67). 

Kair fails to explicitly disclose determining a time to fix a security vulnerability 
identified by the security vulnerability assessment of the system based on the 
determined security vulnerability score. 
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Bellemore discloses a method of assessing a particular host for security 
vulnerabilities in which he teaches determining a time to fix a security vulnerability 
identified by the security vulnerability assessment of the system based on the 
determined security vulnerability score (see Bellemore column 5, lines 16-34). It would 
have been obvious at the time the invention was made to a person having ordinary skill 
in the art to which said subject matter pertains to have given an allotted time for fixing 
the vulnerability before disabling will occur to protect the system (i.e. password 
disabling)(see Bellemore column 5, lines 16-34). Therefore one would have been 
motivated to have set a time limit for security vulnerability to be fixed to increase the 
security of the system 

With respect to claim 5 and 16, entering an IP address associated with the 
security vulnerabilty and a description of the detected security vulnerability in a tracking 
database. (See Kair column 70 lines 28-60) 

With respect to claim 6 and 17, determining delinquent security vulnerabilities 
based upon the determined time to fix the vulnerability detected by the security 
vulnerability assessment (see Bellemore column 5, lines 16-34). 

With respect to claim 8 and 19, re-running a scan profile when notification is 
received that the security vulnerability has been fixed (See Keir column 13 lines 4-35 
and column 69 lines 44-56). 

With respect to claim 9 and 20, determining whether the security vulnerability still 
exists and archiving records associated with the security vulnerability when the security 
vulnerability does not exist (see Kair column 69 line 35 - column 72 line 56). 
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With respect to claims 27 and 29, wherein the severity score is based on whether 
a host will allow root compromise (see column 64 lines 51-67) and whether the security 
vulnerability is remotely exploitable (see column 62 line 3 - column 66 line 19). 

With respect to claims 28 and 30, wherein the trust score is based on whether 
the system is isolated (see column 62 line 3 - column 66 line 19). 

Claims 10, 11, 21, 22 and 26 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Kair (US 7,243,148) in view of Bellemore (5,944,825) in further view 
of Dahlstrom et al (2004/0006704). With respect to claim 10, 21, 24 and 26, a method 
for determining a criticality factor for a security vulnerability in a computer system, 
comprising: Entering in a database security vulnerabilities detected in the computer 
system during a security vulnerability assessment (see Kair column 13 lines 4-20 and 
column 17 lines 27-38). Assigning a security vulnerability factor to a detected security 
vulnerability based upon a criticality of an element in the system, a severity of the 
security vulnerability with the system and isolation of the system (see Kair column 62 
line 3 -column 66 line 19). 

Kair does not teach measuring a frequency of occurrence for the detected 
security vulnerabilities and Assigning a security vulnerability factor to a detected 
security vulnerability based upon the frequency of occurrence of the security 
vulnerability in the system. Dahlstrom teaches Measuring a frequency of occurrence for 
the detected security vulnerabilities, (see Dahistrom paragraph 0042 and 0067). It 
would have been obvious at the time the invention was made to a person having 
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ordinary skill in the art to which said subject matter pertains to have kept track of the 
frequency a security vulnerability occurs to provide an overall summaries of vulnerability 
tracking within the organization or with respect to a particular product. The tracking 
information may also include statistical information such as means, medians, ranges, 
and deviations derived by tracking system (see paragraph 0042). Therefore one would 
have been motivated to have tracked the security vulnerability. 

With respect to claim 1 1 and 22, wherein the criticality of an element in the 
system is based on whether at least one of confidential data and personal data in on the 
system and whether information on the element is used aggregation (see column 64 
lines 51-67). 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy 
as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Devin Almeida whose telephone number is 571-270- 
1018. The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 
5:00 P.M. The examiner can also be reached on alternate Fridays from 7:30 A.M. to 
4:00 P.M. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron, can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. 

/Devin Almeida/ 

Patent Examiner, GAU 2132 

/Gilberto Barron Jr/ 

Supervisory Patent Examiner, Art Unit 2132 



